Review board
The authority responsible for evaluating and approving or disapproving proposed changes to a system and ensuring implementation of approved changes. This is a management and preventive control.
Review techniques
Passive information security testing techniques, generally conducted manually, used to evaluate systems, applications, networks, policies, and procedures to discover vulnerabilities. Review techniques include documentation review, log review, ruleset review, system configuration review, network sniffing, and file-integrity checking.
Revision
A change to a baseline configuration item that encompasses error correction, minor enhancements, or adaptations but to which there is no change in the functional capabilities.
Revoked state
The cryptographic key lifecycle state in which a currently active cryptographic key is not to be used to encode, encrypt, or sign again within a domain or context.
Reuse
Any use of a preexisting software artifact (e.g., a component or a specification) in a context different from the one in which it was created.
Rijndael algorithm
The cryptographic algorithm specified in the Advanced Encryption Standard (AES). AES fixes Rijndael's block size at 128 bits and its key size at 128, 192, or 256 bits; the original Rijndael proposal also allowed other block and key sizes, so "Rijndael" and "AES" are not strictly interchangeable.
Ring topology
A network topology in which all nodes are connected to one another in the shape of a closed loop, so that each node is connected directly to two other nodes, one on either side of it. The nodes are attached to repeaters that are wired into the closed loop. The two token-passing variants are token ring, which uses a physical ring, and token bus, which implements a logical ring over a physical bus.
Risk
(1) A measure of the likelihood and the consequence of events or acts that could cause a system compromise, including the unauthorized disclosure, destruction, removal, modification, or interruption of system assets. (2) The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, or other organizations resulting from the operation of an information system, given the potential impact of a threat and the likelihood of that threat occurring. (3) The chance or likelihood of an undesirable outcome. In general, the greater the likelihood of a threat occurring, the greater the risk. A risk determination requires a sign-off letter from functional users. (4) A combination of the likelihood that a threat will occur, the likelihood that a threat occurrence will result in an adverse impact, and the severity of the resulting adverse impact. (5) The probability that a particular security threat will exploit a system’s vulnerability. Reducing either the vulnerability or the threat reduces the risk; as shorthand, Risk = Threat × Vulnerability (often extended to Threat × Vulnerability × Impact). The relation is a product rather than a sum: a threat with no exploitable vulnerability, or a vulnerability with no threat to exploit it, carries no risk.
Risk adaptive or adaptable access control (RAdAC)
In RAdAC, access privileges are granted based on a combination of a user’s identity, mission need, and the level of security risk that exists between the system being accessed and a user. RAdAC uses security metrics, such as the strength of the authentication method, the level of assurance of the session connection between the system and a user, and the physical location of a user, to make its risk determination.
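As an added example (not part of the original glossary), the following Python sketches how a RAdAC decision can combine the metrics named above. The metric names, the numeric risk values, the per-sensitivity tolerances and the combination rule are assumptions made for illustration, not values from any standard or product; identity and mission need are assumed to have been checked beforehand (for example by RBAC) and arrive as a single boolean.

```python
"""Added example of a risk-adaptive access decision in the spirit of RAdAC.

All metric names, risk values, tolerance thresholds and the combination
rule are illustrative assumptions, not values from a standard or product.
"""
from dataclasses import dataclass

# Per-factor risk contribution in [0, 1]; higher means less assurance.
AUTH_RISK = {"smartcard": 0.1, "otp": 0.3, "password": 0.6}
SESSION_RISK = {"tls_mutual": 0.1, "tls": 0.3, "plaintext": 1.0}
LOCATION_RISK = {"on_site": 0.1, "vpn": 0.3, "unknown": 0.8}

# Highest risk the organization tolerates for each data sensitivity level.
RISK_TOLERANCE = {"public": 1.0, "internal": 0.6, "restricted": 0.3}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    need_to_know: bool    # identity and mission need, decided beforehand (e.g. by RBAC)
    auth_method: str      # strength of the authentication method
    session: str          # assurance of the session connection
    location: str         # physical location of the user
    sensitivity: str      # sensitivity of the resource being accessed


def risk_score(req: AccessRequest) -> float:
    """Combine the factors as independent chances of compromise: the
    session is at risk if any single factor fails, so
    risk = 1 - product(1 - factor). An unrecognized factor value is
    treated as maximally risky rather than silently ignored."""
    factors = (
        AUTH_RISK.get(req.auth_method, 1.0),
        SESSION_RISK.get(req.session, 1.0),
        LOCATION_RISK.get(req.location, 1.0),
    )
    safe = 1.0
    for f in factors:
        safe *= 1.0 - f
    return 1.0 - safe


def decide(req: AccessRequest) -> tuple:
    """Return (granted, reason). Mission need is a hard gate; the risk
    score is then compared with the tolerance for the resource."""
    if not req.need_to_know:
        return False, "no mission need"
    tolerance = RISK_TOLERANCE.get(req.sensitivity)
    if tolerance is None:
        return False, "unknown sensitivity level"  # fail closed
    score = risk_score(req)
    if score > tolerance:
        return False, f"risk {score:.2f} exceeds tolerance {tolerance:.2f}"
    return True, f"risk {score:.2f} within tolerance {tolerance:.2f}"


if __name__ == "__main__":
    for req in (
        AccessRequest("alice", True, "smartcard", "tls_mutual", "on_site", "restricted"),
        AccessRequest("alice", True, "password", "tls", "vpn", "restricted"),
        AccessRequest("bob", False, "smartcard", "tls_mutual", "on_site", "public"),
    ):
        print(req.user, req.sensitivity, decide(req))
```

The same user is granted or denied the same resource depending on how they authenticated, over what kind of session, and from where, which is the point of RAdAC: the decision adapts to the measured risk of the session rather than being fixed per identity.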
Risk analysis
The process of identifying the risks to system security and determining the likelihood of occurrence, the resulting impact, and the additional safeguards (controls) that mitigate this impact. It is a part of risk management and synonymous with risk assessment.
Risk assessment
The process of identifying risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, or other organizations by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. Part of risk management, synonymous with risk analysis, incorporates threat and vulnerability analyses, and considers mitigations provided by planned or in-place security controls.
Risk index
The difference between the minimum clearance or authorization of system users and the maximum sensitivity (e.g., classification and categories) of the data processed by the system.
Risk management
The program and supporting processes to manage information security risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, or other organizations resulting from the operation of an information system. It includes (1) establishing the context for risk-related activities, (2) assessing risk, (3) responding to risk once determined, and (4) monitoring risk over time. The process considers effectiveness, efficiency, and constraints due to laws, directives, policies, or regulations. This is a management and preventive control.
Risk Management = Risk Assessment + Risk Mitigation + Risk Evaluation.
Risk mitigation involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls and countermeasures recommended from the risk assessment process.
Risk monitoring
Maintaining ongoing awareness of an organization’s risk environment, risk management program, and associated activities to support risk decisions.
Risk profile
Risk profiling is conducted for each data center or computer system to identify threats and to develop the controls and policies needed to manage the resulting risks.
Risk reduction
The process of reducing one or more of the factors of risk (e.g., value at risk, vulnerability to attack, threat of attack, and protection from risk).
Risk response
Accepting, avoiding, mitigating, sharing, or transferring risk to organizational operations and assets, individuals, or other organizations.
Risk tolerance
The level of risk an entity is willing to assume in order to achieve a potential desired result.
Rivest-Shamir-Adleman (RSA) algorithm
A public-key algorithm used for key establishment, for generating and verifying digital signatures, for encrypting messages, and for managing keys for the data encryption standard (DES) and other secret-key algorithms.
Robust authentication
Requires a user to possess a token in addition to a password or PIN (i.e., two-factor authentication). This type of authentication is applied when accessing internal computer systems and e-mail. The token used for robust authentication can also generate one-time passwords.
Robust programming
Robust programming, also called defensive programming, is a style of programming that makes a system more reliable by anticipating invalid input, unexpected states, and failing operations and handling them explicitly, rather than assuming they cannot occur.
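As an added example (not from the original glossary), the following Python contrasts a fragile parser with a defensive one for a simple length-prefixed record format. The format (4-byte big-endian length followed by the payload) and the size limit are assumptions made for this example, not a real protocol.

```python
"""Added example: fragile versus defensive parsing of a length-prefixed
record. The record format and MAX_PAYLOAD are assumptions for this
example, not a real protocol."""
import struct

HEADER = struct.Struct(">I")   # 4-byte big-endian payload length
MAX_PAYLOAD = 64 * 1024        # assumed upper bound on a single payload


def parse_record_fragile(buf: bytes) -> bytes:
    """Trusts its input. A buffer shorter than the header raises an
    unexpected struct.error, and a length field larger than the buffer
    silently yields truncated data that a caller may treat as complete."""
    (n,) = HEADER.unpack_from(buf, 0)
    return buf[HEADER.size:HEADER.size + n]


class MalformedRecord(ValueError):
    """Raised for any input that violates the format."""


def parse_record(buf: bytes) -> tuple:
    """Defensive version: checks every assumption before acting on it and
    returns (payload, remainder) so trailing bytes are never dropped."""
    if not isinstance(buf, (bytes, bytearray, memoryview)):
        raise TypeError("expected a bytes-like object")
    if len(buf) < HEADER.size:
        raise MalformedRecord("header truncated")
    (n,) = HEADER.unpack_from(buf, 0)
    if n > MAX_PAYLOAD:
        raise MalformedRecord(f"declared length {n} exceeds limit {MAX_PAYLOAD}")
    end = HEADER.size + n
    if len(buf) < end:
        raise MalformedRecord(
            f"payload truncated: need {n} bytes, have {len(buf) - HEADER.size}")
    return bytes(buf[HEADER.size:end]), bytes(buf[end:])


def parse_all(buf: bytes) -> list:
    """Parse consecutive records; any defect aborts the whole parse instead
    of returning a partially trusted result."""
    records = []
    while buf:
        payload, buf = parse_record(buf)
        records.append(payload)
    return records


def is_malformed(buf: bytes) -> bool:
    """True if the defensive parser rejects buf as malformed."""
    try:
        parse_record(buf)
    except MalformedRecord:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample input: a record "abc" followed by a record "xy".
    good = b"\x00\x00\x00\x03abc" + b"\x00\x00\x00\x02xy"
    print(parse_all(good))
    # Length field claims 16 bytes but only 3 follow.
    bad = b"\x00\x00\x00\x10abc"
    print("fragile:", parse_record_fragile(bad))   # silently truncated
    print("defensive rejects:", is_malformed(bad))
```

The fragile version is not wrong for well-formed input; the defect is that it cannot tell well-formed input from hostile input, so the caller inherits the failure mode. The defensive version fails closed on every violated assumption and makes the remainder of the buffer explicit, which is what keeps a later stage from operating on silently truncated data.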
Robustness
A characterization of the strength of a security function, mechanism, service, or solution, and the assurance (or confidence) that it is implemented and functioning correctly.
Role
(1) A distinct set of operations required to perform some particular function. (2) A collection of permissions in role-based access control (RBAC), usually associated with a role or position within an organization.
Role-based access control (RBAC)
(1) Access control based on user roles (e.g., a collection of access authorizations a user receives based on an explicit or implicit assumption of a given role). Role permissions may be inherited through a role hierarchy and typically reflect the permissions needed to perform defined functions within an organization. A given role may apply to a single individual or to several individuals. (2) A model for controlling access to resources in which permitted actions on resources are identified with roles rather than with individual subject identities. Access is thus based on specific job titles, functions, roles, and responsibilities rather than on who the individual is.
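As an added example (not from the original glossary), the following Python implements a small RBAC model with the two features the definition names: permissions attached to roles rather than to users, and permissions inherited through a role hierarchy. It also adds a static separation-of-duty constraint, a common RBAC extension. The roles, permissions, users and the exclusive role pair are invented for illustration.

```python
"""Added example of role-based access control with a role hierarchy and a
static separation-of-duty constraint. Roles, permissions, users and the
exclusive role pair are invented for this example."""
from collections import deque

# Permissions granted directly to each role (assumed example data).
ROLE_PERMISSIONS = {
    "employee": {"read:handbook"},
    "engineer": {"read:source", "write:source"},
    "release_manager": {"deploy:production"},
    "auditor": {"read:audit_log"},
}

# Role hierarchy: a senior role inherits the permissions of its junior roles.
ROLE_HIERARCHY = {
    "engineer": {"employee"},
    "release_manager": {"engineer"},
    "auditor": {"employee"},
}

# Role pairs one person may never hold at the same time
# (static separation of duty: nobody audits their own code).
MUTUALLY_EXCLUSIVE = [frozenset({"engineer", "auditor"})]

# Subjects are assigned roles, never permissions directly.
USER_ROLES = {
    "alice": {"release_manager"},
    "bob": {"engineer"},
    "carol": {"auditor"},
}


def effective_roles(role, hierarchy=ROLE_HIERARCHY):
    """The role itself plus every role it inherits from, transitively."""
    seen, queue = set(), deque([role])
    while queue:
        r = queue.popleft()
        if r in seen:
            continue
        seen.add(r)
        queue.extend(hierarchy.get(r, ()))
    return seen


def effective_permissions(user, user_roles=USER_ROLES):
    """Union of the permissions reachable through all of the user's roles."""
    perms = set()
    for role in user_roles.get(user, ()):
        for r in effective_roles(role):
            perms |= ROLE_PERMISSIONS.get(r, set())
    return perms


def is_permitted(user, permission, user_roles=USER_ROLES):
    """Access decision. Unknown users and unknown permissions are denied."""
    return permission in effective_permissions(user, user_roles)


def sod_conflict(user_roles, user, role):
    """True if giving `role` to `user` would make them hold both members of
    an exclusive pair, counting roles reached through inheritance."""
    held = set()
    for r in user_roles.get(user, ()):
        held |= effective_roles(r)
    combined = held | effective_roles(role)
    return any(pair <= combined for pair in MUTUALLY_EXCLUSIVE)


def assign_role(user_roles, user, role):
    """Add a role to a user, refusing unknown roles and SoD violations."""
    if role not in ROLE_PERMISSIONS and role not in ROLE_HIERARCHY:
        raise ValueError(f"unknown role {role!r}")
    if sod_conflict(user_roles, user, role):
        raise PermissionError(f"{user} may not hold {role!r} with current roles")
    user_roles.setdefault(user, set()).add(role)


if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, sorted(effective_permissions(user)))
    print("bob -> auditor conflicts:", sod_conflict(USER_ROLES, "bob", "auditor"))
```

Note that alice never has "read:handbook" assigned to her, yet she holds it through release_manager, which inherits engineer, which inherits employee; and that the separation-of-duty check catches the same inheritance, so a release manager cannot be made an auditor even though "engineer" is not one of her directly assigned roles.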
Role-based authentication